PRP: Secret extractor for Grafana Cloud API + Grafana Service Account

[impszi95]

Overview
Add two new secret detectors for Grafana tokens: Grafana Cloud API Token and Grafana Service Account Token.

Popularity of Secret/Service
Grafana is used by millions of organizations worldwide for monitoring, logging, and observability.
Attackers can impersonate service accounts and gain access to Grafana instances with the same permissions as the compromised account.

Validation Method

• Grafana Cloud API Token Validator: Queries https://www.grafana.com/api/v1/tokens with the token to verify it's associated with a valid Grafana Cloud account.

• For Service account, a stack is searched and used as validation f.e.: xyz.grafana.net/api/user/.

regex:
Service Account: glsa_[A-Za-z0-9_-]{30,50}
Cloud: glc_[0-9a-zA-Z+/=]{110,130}

[github-actions]

Welcome to the OSV-SCALIBR patch reward program!
Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us, sometimes longer
depending on available capacity.
Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.
~The OSV-SCALIBR PRP team

[impszi95]

Additional references:
https://grafana.com/blog/new-in-grafana-9-1-service-accounts-are-now-ga/